Invalid keystore format with SSL in Tomcat 6
I'm trying to set up SSL in my local Tomcat 6 installation. For this, I followed the official How-To, doing the following:
$JAVA_HOME/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit
$JAVA_HOME/bin/keytool -export -alias tomcat -storepass changeit -file /root/server.crt
Then changing the $CATALINA_BASE/conf/server.xml, un-commenting this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/root/.keystore" keystorePass="changeit" />
After starting Tomcat, I get this Exception:
INFO: Initializing Coyote HTTP/1.1 on http-8080
30.06.2011 10:15:24 org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SCHWERWIEGEND: Failed to load keystore type JKS with path /root/.keystore
due to Invalid keystore format
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
When I look into the keystore with keytool -list, I get:
root@host:~# $JAVA_HOME/bin/keytool -list
Enter key store password: changeit
Key store type: gkr
Key store provider: GNU-CRYPTO
Key store contains 1 entry(ies)
Alias name: tomcat
Creation timestamp: Donnerstag, 30. Juni 2011 - 10:13:40 MESZ
Entry type: key-entry
Certificate fingerprint (MD5): 6A:B9:...C:89:1C
Obviously, the keystore types are different. How can I change the type and will this fix my problem? Thank you!
It looks like the keytool you're using is the GNU implementation, not the one from Oracle/Sun or OpenJDK. From the output of keytool -list, it generates a gkr store type, which is a GNU Keyring Store.
I'm not sure whether you run Apache Tomcat using an OpenJDK or Sun/Oracle JRE, in which case this format wouldn't be supported without additional security providers.
If you run Apache Tomcat with a GNU JRE that supports gkr (or at least a JRE where you've added a security provider that supports gkr), you can try keystoreType="gkr" in your <Connector /> configuration.
However, the easiest is probably to use keytool as provided by Oracle or OpenJDK and use the JKS storetype (which would be the default type if you run Apache Tomcat with the OpenJDK or Sun/Oracle JRE). It was probably installed with your JRE, but it doesn't look like the $JAVA_HOME you're using points to an Oracle or OpenJDK JAVA_HOME. Some Linux distributions have mechanisms to install multiple JREs and configure links (update-alternatives in the Debian/Ubuntu family).
(As a side-note, it's usually not recommended to run Apache Tomcat as root, which you seem to be doing since $HOME/.keystore is /root/.keystore in your example.)
As Bruno said, I used the "wrong" keytool!
These are the keytools on my Debian 6 installation:
root@host:~# locate keytool
/etc/alternatives/keytool
/etc/alternatives/keytool.1.gz
/root/glassfish3/jdk/bin/keytool
/root/glassfish3/jdk/jre/bin/keytool
/root/glassfish3/jdk/man/ja_JP.eucJP/man1/keytool.1
/root/glassfish3/jdk/man/man1/keytool.1
/root/glassfish3/mq/bin/imqkeytool
/root/glassfish3/mq/bin/imqkeytool.exe
/usr/bin/gkeytool
/usr/bin/gkeytool-4.4
/usr/bin/keytool
/usr/bin/jre1.6.0_25/bin/keytool
/usr/bin/jre1.6.0_25/man/ja_JP.eucJP/man1/keytool.1
/usr/bin/jre1.6.0_25/man/man1/keytool.1
/usr/lib/jvm/java-1.5.0-gcj-4.4/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/jre/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/man1/keytool.1.gz
/usr/share/man/man1/gkeytool-4.4.1.gz
/usr/share/man/man1/gkeytool.1.gz
/usr/share/man/man1/keytool.1.gz
/var/lib/dpkg/alternatives/keytool
root@host:~# echo $JAVA_HOME
/usr
Now I used
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool -genkey -v -keyalg RSA -alias tomcat -keypass changeit -storepass changeit
to create the keystore file. Tomcat starts without any problems!
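A check for the mismatch described in the two answers above (a GNU keytool writing a gkr store that a Sun/OpenJDK Tomcat cannot read), added here and not part of any answer: it reads the leading bytes of a keystore file to tell JKS, JCEKS and PKCS#12 apart, and resolves which keytool binary $JAVA_HOME or the PATH actually points at. The magic values and the sample files are constructed for the demo.

```bash
#!/bin/sh
# Added example, not from the question or answers: classify a keystore file
# by its leading bytes so an "Invalid keystore format" error can be traced
# to the tool that produced it. JKS files start with the magic 0xFEEDFEED,
# JCEKS with 0xCECECECE; a PKCS#12 file is DER and begins with an ASN.1
# SEQUENCE tag (0x30). Anything else (such as a GNU gkr store) is UNKNOWN.

keystore_type() {
    # $1: path to the keystore file; prints JKS, JCEKS, PKCS12 or UNKNOWN
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;   # DER SEQUENCE; other DER files match too
        *)        echo UNKNOWN ;;
    esac
}

# Which keytool binary is really used? A path under a gcj / GNU Classpath
# JVM explains a gkr store; a Sun or OpenJDK path produces JKS by default.
keytool_path() {
    if [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/keytool" ]; then
        readlink -f "$JAVA_HOME/bin/keytool"
    elif command -v keytool >/dev/null 2>&1; then
        readlink -f "$(command -v keytool)"
    else
        echo "no keytool found in \$JAVA_HOME/bin or on PATH" >&2
        return 1
    fi
}

# Constructed sample files: the JKS magic plus a 4-byte entry count, and an
# unrelated text file, stand in for real keystores so this runs offline.
demo() {
    tmp=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\001' > "$tmp/jks.keystore"
    printf 'not a keystore at all\n' > "$tmp/other.keystore"
    keystore_type "$tmp/jks.keystore"     # prints JKS
    keystore_type "$tmp/other.keystore"   # prints UNKNOWN
    keytool_path || true
    rm -rf "$tmp"
}
```

Run `demo` against your own /root/.keystore path instead of the sample files to see what the file really is before changing keystoreType in server.xml.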
Try specifying your storetype: -storetype JKS (see: http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html)
If you use the GNU JVM and keytool, you can add the following options to the Tomcat connector in server.xml in order to get it to work: keystoreType="gkr" algorithm="JessieX509"
The algorithm is mentioned here